1. Field of the Invention
The present invention relates to data networks in general, and more particularly to the management of multiple data streams, such as those carried within virtual private networks protected by the Secure Socket Layer protocol (SSLVPN).
2. Description of the Related Art
Virtual private networks (VPNs) are a tool for creating logically separate communications networks within existing communications networks. VPNs provide isolation from other data traffic that is carried over the same hardware and cabling in the existing communications network. Additionally, a VPN can be secured using cryptographic techniques, so that the data communicated on a user's VPN is protected from intrusion by other users of the existing communications network. Such protected VPNs have been helpful to users who wish to establish secure communications over public data networks such as the Internet. One technique for securing a VPN is the Secure Internet Protocol (IPSec). Another technique is to use the Secure Socket Layer protocol (SSL) to establish encryption-protected communications in a VPN. Such private networks are generally referred to as SSLVPNs.
A host site may employ several servers, and may offer secure connectivity through SSLVPNs. In order to streamline the routing of incoming traffic, the servers may share a common gateway device that receives all incoming traffic and then forwards each incoming data stream to an appropriate server. The gateway may also be used to streamline the transmission of outgoing data streams. Using gateways in this manner can facilitate the use of a single address for the host site: clients connecting to the various servers at a host site need to be apprised only of the address of the gateway device.
Various challenges exist in the implementation of SSLVPN gateways. For example, a host site generally hosts more than one SSLVPN session, with each SSLVPN session providing private, protected communications with one or more remote users. At the gateway, incoming data is first decrypted, removing the SSL protection of the data. The unprotected data is then examined by the gateway to determine where it should be directed within the host site. Different data streams are directed to different local servers at the host site. Depending on the information contained in the unprotected data, the host site then forwards the data to an appropriate local server for further processing.
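The dispatch step described above, as an added example that is not part of the original application: once the SSL layer has been removed, the gateway inspects the head of the decrypted stream and selects a local server. The routing key here is the HTTP request line and Host header, and the host names, routing table and backend addresses are constructed assumptions; a stream the gateway cannot classify is not forwarded at all rather than sent to a default server.

```python
"""Stream dispatch in an SSLVPN gateway once the SSL/TLS layer is removed.

The gateway reads the head of each decrypted stream and chooses the local
server for it. Here the HTTP request line and Host header are the key; the
host names and backend addresses below are constructed for this example.
"""
from typing import Optional, Tuple

# Constructed routing table: (virtual host, path prefix) -> local server.
# The longest matching prefix wins, so /admin/ on the files host is split out.
ROUTES = [
    ("mail.example.test", "/", ("10.0.0.11", 8080)),
    ("files.example.test", "/", ("10.0.0.12", 8080)),
    ("files.example.test", "/admin/", ("10.0.0.13", 8080)),
]

def parse_request_head(plaintext: bytes) -> Tuple[Optional[str], Optional[str]]:
    """Return (path, host) from a decrypted HTTP/1.x request head, or (None, None)."""
    head_end = plaintext.find(b"\r\n\r\n")
    if head_end == -1:
        return None, None  # headers not fully received yet
    try:
        lines = plaintext[:head_end].decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return None, None  # not a text protocol this classifier understands
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        return None, None
    host = None
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip().split(":")[0].lower()  # drop port, normalise case
            break
    return parts[1], host

def select_backend(plaintext: bytes) -> Optional[Tuple[str, int]]:
    """Pick the local server for a decrypted stream; None means do not forward."""
    path, host = parse_request_head(plaintext)
    if path is None or host is None:
        return None  # unclassifiable streams are never forwarded blindly
    best = None
    for route_host, prefix, backend in ROUTES:
        if route_host == host and path.startswith(prefix):
            if best is None or len(prefix) > len(best[0]):
                best = (prefix, backend)
    # An unknown host is rejected rather than sent to a default server.
    return best[1] if best else None
```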
The performance of an SSLVPN network can be degraded if the number of users or sessions becomes too large. If the amount of incoming and outgoing data exceeds the capacity of the gateway hardware to perform encryption, decryption, and internal directing, then the throughput of the SSLVPNs is reduced, degrading the performance of the system as seen by the users. It would be helpful to have techniques for efficiently addressing the needs of large numbers of users of a secure network. It would also be valuable to meet these needs without unnecessary duplication of gateway hardware and software.